Can anybody tell me whether this is in fact a standard method which is likely to stay there? Or is there another way of doing what we want to do: to verify that a user's access token is valid and comes from our facebook app.

You can call me/permissions and me?fields=installed, but neither of these seem to tell me WHICH facebook app we're checking.

There is a similar question on so. I don't think you really need to validate whether the access token belongs to your specific app. You just use it with your app and if it does not belong to it you get an error.
– borisdiakur Aug 14 '12 at 9:59

@Lego, thanks. But the thing is I am NOT getting an error - our backend just calls FB Graph API with the access token, and as long as it's valid, we can get the /me resource - it could be an access token from some other facebook app, right?
– PapaFreud Aug 14 '12 at 12:31

What I do not understand is why you should care about whether the access token belongs to your app, as long as you get the user data out of the token. Maybe I just do not see the whole picture.
– borisdiakur Aug 14 '12 at 13:06

So that nobody else can set up a facebook app, get people to add it, get their access tokens, and use them to talk to our backend on behalf of the user. I'm not sure why they'd want to do this, but still, it's a possible abuse.
– PapaFreud Aug 14 '12 at 14:02

2 Answers
2

You can pass signed_request instead of access_token with every request.
The signed_request parameter is based on your application's secret key, and you can easily verify it. Read the documentation about signed requests.

If you use FB.login out of the JS SDK, the response you get does contain a signed_request property. Post that to your server, validate it there … maximum level of security imaginable at this point reached IMHO.
– CBroe Aug 15 '12 at 15:33
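As an added example (not code from either poster), here is the server-side check the answer and comment above describe: a signed_request is `base64url(signature).base64url(JSON payload)`, where the signature is HMAC-SHA256 over the encoded payload keyed with the app secret, so a signature that verifies shows the payload was issued for your app. The app secret, user id and token below are constructed placeholders, and `make_signed_request` exists only to build test input.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(data: str) -> bytes:
    """Decode base64url; the platform strips the '=' padding, so restore it."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def verify_signed_request(signed_request: str, app_secret: str):
    """Return the payload dict if the signature is valid for app_secret, else None."""
    try:
        encoded_sig, encoded_payload = signed_request.split(".", 1)
        sig = _b64url_decode(encoded_sig)
        payload = json.loads(_b64url_decode(encoded_payload))
    except (ValueError, TypeError):
        return None  # malformed input, not a signed_request
    if not isinstance(payload, dict):
        return None
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None  # only the documented algorithm is accepted
    expected = hmac.new(app_secret.encode("utf-8"),
                        encoded_payload.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    return payload


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Build a signed_request the way the platform does (test input only)."""
    encoded_payload = _b64url_encode(
        json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(app_secret.encode("utf-8"),
                   encoded_payload.encode("ascii"), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{encoded_payload}"


# Constructed placeholder values; a real app secret never belongs in source.
APP_SECRET = "example-app-secret-not-real"
SAMPLE_PAYLOAD = {"algorithm": "HMAC-SHA256", "issued_at": 1344952800,
                  "user_id": "123456789", "oauth_token": "placeholder-token"}
SAMPLE_REQUEST = make_signed_request(SAMPLE_PAYLOAD, APP_SECRET)

if __name__ == "__main__":
    print(verify_signed_request(SAMPLE_REQUEST, APP_SECRET))        # payload dict
    print(verify_signed_request(SAMPLE_REQUEST, "some-other-app"))  # None
```

A signed_request minted by another app (signed with that app's secret) fails the comparison, which is exactly the "which app issued this" check the question asks for.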

You should implement an authentication flow as described in the docs (client or server side). Basically you get a fresh access token by authenticating the user with your app and use that token for requests to your server. This way you can be sure that the token "belongs" to your app. Steps to do:

Initialize a Facebook SDK of your choice with your app ID.

Check whether the user has already authorized your app.

If the user has already authorized your app you get his or her Facebook user id together with the token (which "belongs" to your app), if not: authenticate the user and get the token.

Right... our problem is that we planned to dig out an access token in the front end/mobile app and just pass that to the backend, letting the backend verify the access token with facebook. But a valid access token does not in itself mean that the call to our backend is coming from a trusted party.
– PapaFreud Aug 15 '12 at 9:57

How do you define a trusted party? If you have a valid access token, then you have a valid user, even if the user has not authenticated with or authorized your app.
– borisdiakur Aug 15 '12 at 10:54

That's exactly my point. If you set up a "free beer coupons" facebook app and secretly use your user's access tokens to do stuff in our backend, you're not what I'd call a trusted party... But our own web frontend or mobile apps or whatever are "trusted" to just that. That's why I thought it would be neat to check (in the backend) which facebook app was used to get the access token.
– PapaFreud Aug 15 '12 at 11:56

So how do you get your friend's access token? Try that! That'll be pretty hard if you do not know your friend's login and password. Ok, you might ask him...
– borisdiakur Aug 15 '12 at 12:30

2

Hacker Henry can get innocent Irving's access token by setting up a facebook app that looks like a game or something. Irving signs up for that app, and suddenly Henry has Irving's access token. Henry can then use that access token to log in to our backend, pretending to be Irving.
– PapaFreud Aug 15 '12 at 12:40